{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-13T04:37:14.476","vulnerabilities":[{"cve":{"id":"CVE-2026-21696","sourceIdentifier":"security-advisories@github.com","published":"2026-01-19T20:15:49.107","lastModified":"2026-02-02T20:40:21.660","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panels' database server runs out of disk space. Version 1.12.0 fixes the issue."},{"lang":"es","value":"Wings es el plano de control del servidor para Pterodactyl, un panel de gestión de servidores de juegos gratuito y de código abierto. A partir de la versión 1.7.0 y antes de la versión 1.12.0, Wings no considera el límite máximo de parámetros de SQLite al procesar las entradas del registro de actividad, lo que permite a un usuario con pocos privilegios activar una condición que inunda el panel con registros de actividad. Después de que Wings envía los registros de actividad al panel, elimina las entradas de actividad procesadas de la base de datos SQLite de Wings. Sin embargo, no considera el límite máximo de parámetros de SQLite, 32766 a partir de SQLite 3.32.0. Si Wings intenta eliminar más de 32766 entradas de la base de datos SQLite en una sola consulta, activa un error (error de lógica SQL: demasiadas variables SQL (1)) y no elimina ninguna entrada de la base de datos. Estas entradas son entonces reprocesadas indefinidamente y reenviadas al panel cada vez que se ejecuta el cron. Al explotar con éxito esta vulnerabilidad, un atacante puede desencadenar una situación en la que Wings seguirá subiendo los mismos datos de actividad al panel repetidamente (creciendo cada vez para incluir nueva actividad) hasta que el servidor de la base de datos del panel se quede sin espacio en disco. La versión 1.12.0 corrige el problema."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-400"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pterodactyl:wings:*:*:*:*:*:*:*:*","versionStartIncluding":"1.7.0","versionEndExcluding":"1.12.0","matchCriteriaId":"DB68BF14-2EEE-43EF-8AAC-DC858B1C623C"}]}]}],"references":[{"url":"https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go#L81","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go#L86","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}